Users log on with a UPN (User Principal Name). The domain part of the UPN need not match the domain that holds the user's object. In some cases, users may use an e-mail address as the UPN, which does not match the user's object domain. The Global Catalog must therefore be searched for a user object with the matching UPN to determine the logon domain, so that the logon can proceed.

Diagram: Logon with UPN tyoung1234@hotmail.com -> Lookup UPN in AD to determine logon domain

If the domain logon fails, Windows may still allow access to the local computer. Windows caches the last few domain logon credentials. If the domain logon fails, Windows checks the name/password combination against the cached credentials and allows local access if the credentials match. In this situation network resources are unavailable without authentication.

For the logon to succeed, all group memberships must be determined. Universal group memberships are potentially the most difficult to resolve, given that universal groups can be created in any domain and can have members from any domain. To resolve this difficulty, universal group membership is published in the Global Catalog. If a Global Catalog server is not available at logon, universal group membership cannot be determined. If no GC is available, administrators will log on without the authority of their universal group memberships. Other users will log on with cached credentials and will not have network access.
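The three rules above (UPN lookup in the Global Catalog, fallback to cached credentials when the domain logon fails, and the loss of universal group membership when no GC is reachable) are easier to follow as a decision procedure. The following Python model is an added illustration, not Microsoft's logon code; the domains, users, passwords, group names, and the `LOCAL_DOMAIN`, `DOMAINS`, `GLOBAL_CATALOG` and `CACHED_LOGONS` tables are all constructed sample values, and the password check is a plain string comparison standing in for the real credential verification.

```python
"""Simplified model of the Windows domain logon steps described above.

Added illustration, not Microsoft code. It models three things the notes
describe: resolving the logon domain from a UPN through a Global Catalog
search, falling back to the workstation's cached credentials when the
domain logon fails, and what happens to universal group membership when
no Global Catalog is reachable. Every domain, user and password below
is a constructed sample value.
"""
from dataclasses import dataclass, field
from typing import Optional

LOCAL_DOMAIN = "corp.example"   # domain of the DC receiving the logon (constructed)

# Constructed per-domain databases: what each domain's own DC knows.
DOMAINS = {
    "corp.example": {
        "tyoung1234@hotmail.com": {"password": "Winter2024!", "admin": False,
                                   "groups": ["Domain Users"]},
        "admin@corp.example": {"password": "Adm1n-pass", "admin": True,
                               "groups": ["Domain Admins"]},
    },
    "sales.example": {
        "bsmith@sales.example": {"password": "S@les-99", "admin": False,
                                 "groups": ["Domain Users"]},
    },
}

# Constructed Global Catalog: UPN -> owning domain and universal groups.
GLOBAL_CATALOG = {
    "tyoung1234@hotmail.com": {"domain": "corp.example", "universal": ["U-Finance"]},
    "admin@corp.example": {"domain": "corp.example", "universal": ["U-Enterprise-Admins"]},
    "bsmith@sales.example": {"domain": "sales.example", "universal": ["U-Finance"]},
}

# Constructed workstation cache of the last few successful domain logons.
CACHED_LOGONS = {"tyoung1234@hotmail.com": "Winter2024!"}


@dataclass
class LogonResult:
    outcome: str                          # "domain", "cached" or "denied"
    logon_domain: Optional[str] = None
    groups: list = field(default_factory=list)
    network_access: bool = False


def resolve_logon_domain(upn: str, gc_available: bool) -> Optional[str]:
    """Find the domain that holds the user object for this UPN.

    The UPN suffix is not trusted: tyoung1234@hotmail.com is an object in
    corp.example, so only a GC search can say where the logon must go.
    """
    if gc_available and upn in GLOBAL_CATALOG:
        return GLOBAL_CATALOG[upn]["domain"]
    # Without a GC the receiving DC can only consult its own domain.
    return LOCAL_DOMAIN if upn in DOMAINS[LOCAL_DOMAIN] else None


def cached_match(upn: str, password: str) -> bool:
    """Workstation-side check against the cached domain logons."""
    return CACHED_LOGONS.get(upn) == password


def logon(upn: str, password: str, gc_available: bool = True,
          dc_available: bool = True) -> LogonResult:
    """Decide how a logon attempt ends, following the notes' rules."""
    domain = resolve_logon_domain(upn, gc_available)
    user = DOMAINS[domain].get(upn) if domain and dc_available else None
    if user is None or user["password"] != password:
        # Domain logon failed: local access only if the cache matches.
        if cached_match(upn, password):
            return LogonResult("cached", network_access=False)
        return LogonResult("denied")
    if gc_available:
        universal = GLOBAL_CATALOG.get(upn, {}).get("universal", [])
        return LogonResult("domain", domain, user["groups"] + universal,
                           network_access=True)
    # GC unreachable: universal membership cannot be determined. Administrators
    # still get a domain logon without it; other users fall back to the cache.
    if user["admin"]:
        return LogonResult("domain", domain, list(user["groups"]), network_access=True)
    if cached_match(upn, password):
        return LogonResult("cached", network_access=False)
    return LogonResult("denied")


if __name__ == "__main__":
    for upn, pw, gc, dc in [("tyoung1234@hotmail.com", "Winter2024!", True, True),
                            ("tyoung1234@hotmail.com", "Winter2024!", False, True),
                            ("tyoung1234@hotmail.com", "Winter2024!", True, False),
                            ("admin@corp.example", "Adm1n-pass", False, True),
                            ("bsmith@sales.example", "S@les-99", False, True)]:
        print(upn, f"GC={gc} DC={dc}", logon(upn, pw, gc, dc))
```

Running the module shows the same user ending in three different states depending only on infrastructure availability: a full domain logon with `U-Finance` when the GC answers, a cached logon with no network access when the GC is down or the DC is unreachable, and the administrator account keeping a domain logon but losing `U-Enterprise-Admins` without the GC. The cross-domain user `bsmith@sales.example` cannot be found at all without a GC, since the receiving DC only knows its own domain.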

Diagram: Logon with UPN -> Domain Controller -> Global Catalog lookup for universal group membership

Kerberos Authentication

Kerberos is an authentication protocol developed at MIT in Project Athena. In Greek mythology, Kerberos is the three-headed dog that guards Hades. Microsoft has replaced the NT challenge/response (NTLM) protocol used in Windows NT with Kerberos, which is the authentication protocol for Active Directory. Kerberos authentication is managed by KDC (Key Distribution Center) servers. Windows Server domain controllers provide the KDC service.

Before connecting to a server, a client must obtain a session ticket from a KDC domain controller. The ticket is only valid for sessions between that particular client and that particular server. Another ticket is required to connect to another server.

Diagram: Ticket from KDC for session with server

Clients store Kerberos tickets in a memory area known as the ticket cache. The Resource Kit utility KERBTRAY can display and purge the ticket cache.
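The two preceding paragraphs (one ticket per client/server pair, and a client-side cache that can be displayed and purged) can be modelled in a few dozen lines. The Python below is an added illustration and is not Microsoft, MIT or Resource Kit code: the `KDC`, `TicketCache`, `Server` and `Ticket` classes, the principal names, and the clock values are all constructed, and a real KDC does far more (keys, encryption, a ticket-granting ticket) than this issue-and-expire model.

```python
"""Simplified model of Kerberos session tickets and the client ticket cache.

Added illustration, not Microsoft, MIT or Resource Kit code. It shows the
behaviour the notes describe: the KDC issues a ticket for one client and
one server, the client keeps tickets in a cache and reuses a valid one for
the same server, a different server needs a different ticket, and purging
the cache (what KERBTRAY's purge does on a real client) forces fresh
requests. Lifetimes are in seconds on a constructed clock; all principal
names are constructed.
"""
from dataclasses import dataclass
import itertools


@dataclass(frozen=True)
class Ticket:
    ticket_id: int
    client: str
    server: str
    expires_at: float

    def valid_for(self, client: str, server: str, now: float) -> bool:
        """A ticket binds exactly one client to one server, until it expires."""
        return self.client == client and self.server == server and now < self.expires_at


class KDC:
    """Stand-in for the KDC service that domain controllers provide."""

    def __init__(self, lifetime: float = 600):
        self.lifetime = lifetime
        self._ids = itertools.count(1)
        self.issued = []            # audit trail of every ticket handed out

    def issue(self, client: str, server: str, now: float) -> Ticket:
        t = Ticket(next(self._ids), client, server, now + self.lifetime)
        self.issued.append(t)
        return t


class TicketCache:
    """The client's in-memory ticket cache, keyed by target server."""

    def __init__(self, client: str, kdc: KDC):
        self.client = client
        self.kdc = kdc
        self._tickets = {}

    def get_ticket(self, server: str, now: float) -> Ticket:
        t = self._tickets.get(server)
        if t is not None and t.valid_for(self.client, server, now):
            return t                                  # reuse, no KDC round trip
        t = self.kdc.issue(self.client, server, now)  # new or expired: ask the KDC
        self._tickets[server] = t
        return t

    def list_tickets(self, now: float):
        """What a cache viewer would display: server, id, seconds remaining."""
        return [(t.server, t.ticket_id, t.expires_at - now) for t in self._tickets.values()]

    def purge(self) -> int:
        """Drop every cached ticket; the next access to any server needs a new one."""
        n = len(self._tickets)
        self._tickets.clear()
        return n


class Server:
    """A service that only accepts tickets issued for its own name."""

    def __init__(self, name: str):
        self.name = name

    def accept(self, ticket: Ticket, now: float) -> bool:
        return ticket.valid_for(ticket.client, self.name, now)


def demo():
    kdc = KDC(lifetime=600)
    cache = TicketCache("alice@corp.example", kdc)
    t1 = cache.get_ticket("cifs/fileserver.corp.example", now=0)
    t2 = cache.get_ticket("cifs/fileserver.corp.example", now=100)   # same server: reused
    t3 = cache.get_ticket("http/intranet.corp.example", now=100)     # other server: new ticket
    t4 = cache.get_ticket("cifs/fileserver.corp.example", now=700)   # expired: reissued
    return kdc, cache, (t1, t2, t3, t4)


if __name__ == "__main__":
    kdc, cache, tickets = demo()
    for entry in cache.list_tickets(now=700):
        print(entry)
    print("purged", cache.purge(), "tickets; KDC issued", len(kdc.issued))
```

The `Server.accept` check is the part worth noticing: a ticket obtained for the file server is rejected by the intranet server even while it is still valid, which is exactly why the notes say another ticket is required for another server. `purge` models what clearing the cache with KERBTRAY does on a real client: the next connection to any server must go back to the KDC.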